Require Passive FTP transfers or disable Active mode

Overview

Many security teams now prohibit outbound connections from FTP servers. Since outbound connections are required for FTP active mode transfers, this means that passive mode transfers, which only involve inbound connections, are required instead.

Firewall technicians often enforce this requirement by setting up firewall rules that prohibit all outbound connections. However, this often leads to connectivity issues and support calls from users who simply see failed transfers and timeouts when they attempt to perform active mode transfers.

A more elegant solution is to turn off active mode transfers at the server level and configure the FTP server to send back helpful error messages that tell end users to stop using active mode transfers. The following instructions explain how to do this in the Serv-U FTP server by disabling two active mode commands (PORT and EPRT) and changing the text Serv-U sends in its "command not implemented" error message.

Environment

Serv-U v14.0 and later

Steps

Open your Serv-U Management Console, select the appropriate domain, and then navigate to the Limits & Settings tab.

Click Global Properties at the bottom of the FTP Settings tab. This will open the FTP Command Properties tab.

Double-click the 502 - Command not implemented entry. Change the text from "Command not implemented." to either "Command not implemented. (Note that ACTIVE mode is not supported!)" or "Command not implemented. (ACTIVE mode is not supported - use PASSIVE instead!)" Then click Save.

To test, connect to Serv-U using an FTP client that is set up to only support active mode. Connect to the server, attempt a directory listing or transfer, and look for your custom 502 error message. Then reconfigure the FTP client to support passive mode, reconnect, and make sure passive transfers work.
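The test in the last step can also be scripted. The following Python script is an added example, not part of the original article or of Serv-U: it sends PORT and EPRT on a logged-in session, classifies each reply, and then confirms that a passive listing works. The host and account are your own test values, the probe address and port are constructed, and the hint string assumes you used one of the 502 texts suggested above.

```python
import ftplib
import sys

# Constructed probe arguments: 192.0.2.10 is a documentation address (RFC 5737);
# port 50000 is encoded as 195,80 (195*256 + 80) in the PORT form.
PROBES = {"PORT": "PORT 192,0,2,10,195,80", "EPRT": "EPRT |1|192.0.2.10|50000|"}

# Both 502 texts suggested in the steps contain this phrase (assumed default).
DEFAULT_HINT = "active mode is not supported"

def classify(reply, hint=DEFAULT_HINT):
    """Map one server reply to a verdict for the active-mode check."""
    if reply.startswith("2"):
        return "allowed"              # active mode is still enabled
    if not reply.startswith("502"):
        return "other-error"          # rejected, but not via the 502 message
    return "blocked-with-hint" if hint in reply.lower() else "blocked-no-hint"

def probe_active_mode(ftp, hint=DEFAULT_HINT):
    """Send PORT and EPRT on a logged-in session; return {command: (verdict, reply)}."""
    results = {}
    for name, line in PROBES.items():
        try:
            reply = ftp.sendcmd(line)      # returns normally on 1xx-3xx replies
        except ftplib.Error as exc:        # ftplib raises on 4xx/5xx replies
            reply = str(exc)
        results[name] = (classify(reply, hint), reply)
    return results

def passive_listing(ftp):
    """Request a directory listing in passive mode; raises if the transfer fails."""
    ftp.set_pasv(True)
    lines = []
    ftp.retrlines("LIST", lines.append)
    return lines

if __name__ == "__main__":
    host, user, password = sys.argv[1:4]   # your own Serv-U host and test account
    with ftplib.FTP(host, timeout=10) as ftp:
        ftp.login(user, password)
        for name, (verdict, reply) in probe_active_mode(ftp).items():
            print(f"{name}: {verdict} <- {reply}")
        print("passive LIST lines:", len(passive_listing(ftp)))
```

A verdict of `blocked-with-hint` for both commands means the commands are disabled and the custom text is being returned; `blocked-no-hint` means the 502 text was not changed.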

Firewall rules that prohibit all outbound connections from Serv-U should still be implemented; these instructions simply avoid support calls by helping end users understand why their active mode transfers are failing.

These instructions also apply when Serv-U Gateway is used to avoid deploying Serv-U in a DMZ segment.

While it is possible to enable or disable FTP commands at the domain level, making this type of change at the server level is preferred because your firewall team will probably not be interested in making outbound connection exceptions for specific FTP server domains.
